Introduction to Cryptography Lecture 9 - pinkas.net April 8, 2008 Introduction to Cryptography, Benny Pinkas page 1 Introduction to Cryptography Lecture 9 Rabin encryption, Digital

1

page 1April 8, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to CryptographyLecture 9

Rabin encryption, Digital signatures,Public Key Infrastructure (PKI)

Benny Pinkas

2


Rabin’s encryption systems

• Key generation: – Private key: random primes p,q (e.g. 512 bits long).– Public key: N=pq.

• Encryption:– Plaintext m∈ ZN

*.– Ciphertext: c = m2 mod N. (very efficient)

• Decryption: Compute c1/2 mod N.

3


Square roots modulo N

• ⇒⇒⇒⇒ Let x be a quadratic residue (QR) modulo N=pq, then– x mod p is a QR mod p. x mod q is a QR mod q– x mod p has two roots mod p: y and p - y– x mod q has two roots mod q: z and q - z

• ⇐⇐⇐⇐ If x is a QR mod p and mod q, it is also a QR mod N. (Follows from the Chinese remainder theorem.)

4



• If x has a square root modulo N then it has 4 different square roots modulo N.– Let A be s.t. A2=x mod N. – Let c be s.t. c=1 mod p, c=-1 mod q.– Then A, -A, cA, -cA are all square roots of x modulo N.

• Each combination of roots modulo p and q results in a root modulo N. – x therefore has four roots modulo pq:– (y,z) -> A, (p - y, q - z) -> pq – A– (y, q - z) -> B, (p – y, z) -> pq – B

= (y,z) · (1,-1)

5



• Exactly ¼ of the elements are QR mod N.– QRN = QRp × QRq. |QRN| = (p-1)(q-1)/4

• Assume that p=q=3 mod 4. (Blum integers.)– Then it is easy to see that exactly one of the four roots is a

QR mod N.• Note that -1 is an NQR mod p and mod q (Euler’s thm).• Let one of the square roots of x modulo N be A.• Then the other square roots are -A, cA, -cA, where c=1 mod

p, c=-1 mod q.• Assume that A is a QR mod N, and therefore it is a QR p and

a QR mod q. Then none of the other roots is a QR mod p and a QR mod q.

6


Finding square roots modulo N

• Need to compute y=x1/2 mod N. • Suppose we know (the private key) p, q.

– Compute the roots of x modulo p, q. Use Chinese remainder theorem to find x.

• Computing square roots in Zp*,

– Recall, x∈QRp iff x(p-1)/2=1 mod p.– Assume p=3 mod 4. (p is a Blum integer).– Compute the root as y=x(p+1)/4 mod p.

• (p+1)/4 is an integer• y2 = (x(p+1)/4)2 = x(p+1)/2 = x(p-1)/2x = x

– If p=1 mod 4 the computation is more complicated (no deterministic algorithm is known)

7


Decryption of Rabin cryptosystem

• Input: c, p, q. (p=q=3 mod 4)• Decryption:

– Compute mp =c(p+1)/4 mod p.– Compute mq =c(q+1)/4 mod q.– Use CRT to compute the four roots mod N, i.e. four values

mod N corresponding to (mp ,mq), (p-mp ,mq), (mp ,q-mq), (p-mp ,q-mq).

• There are four possible options for the plaintext!– The receiver must select the correct plaintext– This can be solved by requiring the sender to embed

some redundancy in m• E.g., a string of bits of specific form

• Make sure that m is always a QR

8


Security of the Rabin cryptosystem

• Good news:– The Rabin cryptosystem is secure against passive attacks

iff factoring is hard. ☺

• Bad news:– The Rabin cryptosystem is completely insecure against

chosen-ciphertext attacks �

9


Security of the Rabin cryptosystem

• Security against chosen plaintext attacks• Suppose there is an adversary that completely breaks the system

– Adversary’s input: N, c– Adversary’s output: m s.t. m2= c mod N.

• We show a reduction showing that given this adversary we can break the factoring assumption.

• I.e., we build an algorithm:– Input: N– Operation: can ask queries to the Rabin decryption oracle– Output: the factoring of N.

• Therefore, if one can break Rabin’s cryptosystem it can also solve factoring.

• Therefore, if factoring is hard the Rabin cryptosystem is “secure”in the sense defined here.

10


The reduction

• Input: N• Operation:

– Choose random x.– Send N and c=x2 mod N, to adversary.– Adversary answers with y s.t. c=y2 mod N.– If y=x or y=N-x, go back to step 1.– Otherwise

• x2 - y2 = 0 mod N.

• 0 ≠ (x-y)(x+y) = cN = cpq.

• Compute gcd(x+y,N) , gcd(x-y,N) and obtain p or q.

• (The gcd is not N since 0<x,y<N, and therefore –N < x+y,x-y < 2N, and it is known that x+y,x-y≠0,N).

happens with prob 1/2

11


Insecurity against chosen-ciphertext attacks

• A chosen-ciphertext attack reveals the factorization of N.• The attacker’s challenge is to decrypt a ciphertext c. • It can ask the receiver to decrypt any ciphertext except c.• The attacker can use the receiver as the “adversary” in the

reduction, namely– Chooses a random x and send c=x2 mod N to the receiver– The receiver returns a square root y of c– With probability ½, x ≠ y and x ≠ -y. In this case the attacker

can factor N by computing gcd(x-y,N).

– (The attack does not depend on homomorphic properties of the ciphertext. Namely, it is not required that E(x)E(y)=E(xy).)

12


Comparing RSA and Rabin encryption

• RSA encryption is infinitely more popular than Rabin encryption (also more popular than El Gamal)

• Advantage of Rabin encryption: it seems more secure, security of Rabin is equivalent to factoring and we don’t know to show that for RSA.

• Advantages of RSA– RSA is a permutation, whereas decryption in Rabin is

more complex– Security of Rabin is only proven for encryption as C=M2

mod N, and this mode• does not enable to identify the plaintext• is susceptible to chosen ciphertext attack.

13


Digital Signatures

14


Handwritten signatures

• Associate a document with an signer (individual)• Signature can be verified against a different signature

of the individual• It is hard to forge the signature…• It is hard to change the document after it was signed…• Signatures are legally binding

15


Desiderata for digital signatures

• Associate a document to an signer

• A digital signature is attached to a document (rather then be part of it)

• The signature is easy to verify but hard to forge– Signing is done using knowledge of a private key– Verification is done using a public key associated with the

signer (rather than comparing to an original signature)– It is impossible to change even one bit in the signed

document • A copy of a digitally signed document is as good as the

original signed document.• Digital signatures could be legally binding…

16


Non Repudiation

• Prevent signer from denying that it signed the message• I.e., the receiver can prove to third parties that the

message was signed by the signer

• This is different than message authentication (MACs)– There the receiver is assured that the message was sent

by the receiver and was not changed in transit– But the receiver cannot prove this to other parties

• MACs: sender and receiver share a secret key K

• If R sees a message MACed with K, it knows that it could have only been generated by S

• But if R shows the MAC to a third party, it cannot prove that the MAC was generated by S and not by R

17


Signing/verification process

Document Msigning

algorithm

Private signature key

Signature of M

Public verification key

verification

algorithm

valid / invalid

signer

verifier Signature depends on M

18


Diffie-Hellman “New directions in cryptography” (1976)

• In public key encryption– The encryption function is a trapdoor permutation f

• Everyone can encrypt = compute f(). (using the public key)

• Only Alice can decrypt = compute f- -1(). (using her private key)

• Alice can use f for signing– Alice signs m by computing s=f -1(m).– Verification is done by computing m=f(s).

• Intuition: since only Alice can compute f- -1(), forgery is infeasible.

• Caveat: none of the established practical signature schemes following this paradigm is provably secure

19


Example: simple RSA based signatures

• Key generation: (as in RSA)– Alice picks random p,q. Finds e·d=1 mod (p-1)(q-1).– Public verification key: (N,e)– Private signature key: d

• Signing: Given m, Alice computes s=md mod N.

• Verification: given m,s and public key (N,e).– Compute m’ = se mod N.– Output “valid” iff m’=m.

20


Message lengths

• A technical problem: – |m| might be longer than |N|– m might not be in the domain of f -1()

Solution “hash-and-sign” paradigm:• Signing: First compute H(m), then compute the

signature f -1(H(M)). Where, – The range of H() must be contained in the domain of f -1().– H() must be collision intractable. I.e. it is hard to find m, m’

s.t. H(m)=H(m’).• Verification:

– Compute f(s). Compare to H(m).

• Use of H() is also good for security reasons. See below.

21


Security of using a hash function

• Intuitively– Adversary can compute H(), f(), but not H -1(), f -1().– Can only compute (m,H(m)) by choosing m and computing H().– Adversary wants to compute (m ,f -1(H(m))).– To break signature needs to show s s.t. f(s)=H(m). (E.g. se=H(m).)

– Failed attack strategy 1:• Pick s, compute f(s), and look for m s.t. H(m)=f(s).

– Failed attack strategy 2:• Pick m,m’ s.t. H(m)=H(m’). Ask for a signature s of m’

(which is also a signature of m). • (If H() is not collision resistant, adversary could find m,m’

s.t. H(m) = H(m’).)– This does not mean that the scheme is secure, only that these attacks

fail.

22


Security definitions for digital signatures

• Attacks against digital signatures

– Key only attack: the adversary knows only the verification key

– Known signature attack: in addition, the adversary has some message/signature pairs.

– Chosen message attack: the adversary can ask for signatures of messages of its choice (e.g. attacking a notary system). (Seems even more reasonable than chosen message attacks against encryption.)

23


Security definitions for digital signatures

• Several levels of success for the adversary– Existential forgery: the adversary succeeds in forging the

signature of one message.– Selective forgery: the adversary succeeds in forging the

signature of one message of its choice.– Universal forgery: the adversary can forge the signature of

any message.– Total break: the adversary finds the private signature key.

• Different levels of security, against different attacks, are required for different scenarios.

24


Example: simple RSA based signatures

• Key generation: (as in RSA)– Alice picks random p,q. Defines N=pq and finds e·d=1

mod (p-1)(q-1).– Public verification key: (N,e)– Private signature key: d

• Signing: Given m, Alice computes s=md mod N. • (suppose that there is no hash function H())

• Verification: given m,s and public key (N,e).– Compute m’ = se mod N.– Output “valid” iff m’=m.

25


Attacks against plain RSA signatures

• Signature of m is s=md mod N.

• Universally forgeable under a chosen message attack:– Universal forgery: the adversary can forge the signature of

any message of its choice.– Chosen message attack: the adversary can ask for

signatures of messages of its choice.

• Existentially forgeable under key only attack.– Existential forgery: succeeds in forging the signature of at

least one message.– Key only attack: the adversary knows the public

verification key but does not ask any queries.

26


RSA with a full domain hash function

• Signature is sig(m) = f -1(H(m)) = (H(m))d mod N.– H() is such that its range is [1,N]

• The system is no longer homomorphic– sig(m) · sig(m’) ≠ sig(m·m’)

• Seems hard to generate a random signature – Computing se is insufficient, since it is also required to

show m s.t. H(m) = se.

• Proof of security in the random oracle model – where H() is modeled as a random function

27


RSA with full domain hash –proof of security

• Claim: Assume that H() is a random function, then if there is a polynomial-time A() which performs existential forgery with non-negligible probability, then it is possible to invert the RSA function, on a random input, with non-negligible probability.

• Proof:– Our input: y. Should compute yd mod N.– A() queries H() and a signature oracle sig(), and generates

a signature s of a message for which it did not query sig().– Suppose A() made at most t queries to H(), asking for

H(m1),…,H(mt ). Suppose also that it always queries H(m) before querying sig(m). (In particular, it asked for H(s).)

– We will show how to use A() to compute yd mod N.

28



• Proof (contd.) • Let us first assume that A always forges the signature of mt (the last

query it sends to H() ), – We can decide how to answer A’s queries to H(),sig().– Answer queries to H() as follows:

• The answer to the tth query (mt) is y.

• The answer to the jth query (j<t) is (rj)e, where rj is random.

– Answer to sig(m) queries:• These are only asked for mj where j<t. Answer with rj. (Indeed sig(mj)=

(H(mj))d = rj )

– A’s output is (mt,s).• If s is the correct signature, then we found yd.

• Otherwise we failed.

– Success probability the same as the success probability of A().

29



• Proof (without assuming which mi A will try to sign)– We can decide how to answer A’s queries to H(),sig().– Choose a random i in [1,t], answer queries to H() as follows:

• The answer to the ith query (mi) is y.

• The answer to the jth query (j≠i) is (rj)e, where rj is random.

– Answer to sig(m) queries:• If m=mj, j≠i, then answer with rj. (Indeed sig(mj)= (H(mj))

d = rj )

• If m=mi then stop. (we failed)

– A’s output is (m,s).• If m=mi and s is the correct signature, then we found yd.

• Otherwise we failed.

– Success probability is 1/t times success probability of A().

30


Rabin signatures

• Same paradigm:– f(m) = m2 mod N. (N=pq).– Sig(m) = s, s.t. s2 = m mod N. I.e., the square root of m.

• Unlike RSA, – Not all m are QR mod N. – Therefore, only ¼ of messages can be signed.

• Solutions:– Use random padding. Choose padding until you get a QR.– Deterministic padding (Williams system).

• A total break given a chosen message attack. (show)• Must therefore use a hash function H as in RSA.

31


El Gamal signature scheme

• Invented by same person but different than the encryption scheme. (think why)

• A randomized signature: same message can have different signatures.

• Based on the hardness of extracting discrete logs

• The DSA (Digital Signature Algorithm/Standard) that was adopted by NIST in 1994 is a variation of El-Gamal signatures.

32


El Gamal signatures

• Key generation:– Work in a group Zp

* where discrete log is hard. – Let g be a generator of Zp

*.– Private key 1 < a < p-1.– Public key p, g, y=ga.

• Signature: (of M)– Pick random 1 < k < p-1, s.t. gcd(k,p-1)=1.– Compute m=H(M).

• r = gk mod p.

• s = (m - r·a)·k -1 mod (p-1)

– Signature is r, s.

33


El Gamal signatures

• Signature:– Pick random 1 < k < p-1, s.t. gcd(k,p-1)=1.– Compute

• r = gk mod p.

• s = (m - r·a)·k-1 mod (p-1)

• Verification:– Accept if

• 0 < r < p

• yr · rs = gm mod p

• It works since yr·rs = (ga)r ·(gk)s = gar ·gm-ra = gm

• Overhead: – Signature: one (offline) exp. Verification: three exps.

same r in both places!

34


El Gamal signature: comments

• Can work in any finite Abelian group– The discrete log problem appears to be harder in elliptic

curves over finite fields than in Zp* of the same size.– Therefore can use smaller groups ⇒ shorter signatures.

• Forging: find yr · rs = gm mod p– E.g., choose random r = gk and either solve dlog of gm/yr to

the base r, or find s=k-1(m - loggy · r) (????)• Notes:

– A different k must be used for every signature– If no hash function is used (i.e. sign M rather than

m=H(M)), existential forgery is possible– If receiver doesn’t check that 0<r<p, adversary can sign

messages of his choice.

Introduction to Cryptography Lecture 9 - pinkas.net April 8, 2008 Introduction to Cryptography, Benny Pinkas page 1 Introduction to Cryptography Lecture 9 Rabin encryption, Digital

Documents